¹Mr. D. PRAVEEN, ²Miss T. BHAVANI, ³Mr. DEVIREDDY VENKATARAMI REDDY
¹PG Scholar, ECE, Madhira Institute of Technology & Science, Chilkur, Nalgonda, India
²Assistant Professor in ECE, Madhira Institute of Technology & Science, Chilkur, Nalgonda, India
³Assistant Professor in ECE, Madhira Institute of Technology & Science, Chilkur, Nalgonda, India
¹dvenkataramireddy@gmail.com, ²praveen.dirisanapu@gmail.com
Abstract: Cryptographic methods are used to protect confidential information against unauthorized modification
or disclosure. Cryptographic algorithms providing high assurance exist, e.g. AES. However, many open problems
related to assuring security of a hardware implementation of a cryptographic algorithm remain. Security of a
hardware implementation can be compromised by a random fault or a deliberate attack. Traditional testing
methods are good at detecting random faults, but they do not provide adequate protection against malicious
alterations of a circuit known as hardware Trojans. For example, a recent attack on Intel's Ivy Bridge processor
demonstrated that the traditional Logic Built-In Self-Test (LBIST) may fail even in the simple case of stuck-at fault
type of Trojans. In this paper, we present a novel LBIST method for Feedback Shift Register (FSR)-based
cryptographic systems which can detect such Trojans. The specific properties of FSR-based cryptographic systems
allow us to reach 100% single stuck-at fault coverage with a small set of deterministic tests. The test execution
time of the proposed method is at least two orders of magnitude shorter than that of the pseudo-random
pattern-based LBIST. Our results enable an efficient protection of FSR-based cryptographic systems from random
and malicious stuck-at faults.
From the examples above, the reader may see that none of the ANFs uses the same variable twice. Furthermore, the same variable does not occur in more than one ANF. In addition, the same index is not used as both input and output, i.e. if $f_i$ is non-trivial, then the state variable $x_i$ is not used. These typical features of ANFs used in cryptographic systems follow from the requirements for the cryptographic security of Boolean functions [3].

Any $n$-variable Boolean function represented in ANF can be implemented by a logic circuit consisting of a linear cascade of two-input XOR gates fed by AND gates, one corresponding to each product-term of the expression (1) with a non-zero constant $c_i$, $i \in \{1, \ldots, 2^n - 1\}$. For example, the function $f_{287}$ of Trivium can be implemented by the circuit shown in Fig. 1.

B. Feedback Shift Registers

An $n$-bit Feedback Shift Register (FSR) [10] consists of $n$ binary storage elements, called cells or stages (see Fig. 2). Each cell $i \in \{0, 1, \ldots, n-1\}$ has an associated state variable $x_i \in \{0, 1\}$ which represents the current value of the cell $i$ and a feedback function $f_i : \{0, 1\}^n \to \{0, 1\}$ of type

$$f_i(x_0, x_1, \ldots, x_{n-1}) = x_{i+1} \oplus g_i(x_0, x_1, \ldots, x_{n-1})$$

which determines how the value of $i$ is updated, where

A cell which is neither a controllable cell nor an observable cell is called an internal cell.

The state of an FSR is a binary vector of values of its state variables $(x_0, x_1, \ldots, x_{n-1})$. At every clock cycle, the next state

The traditional LBIST typically employs a Linear FSR (LFSR) to generate pseudo-random test patterns that are applied to the circuit under test and a Multiple Input Signature Register (MISR) for obtaining the compacted response of the circuit to these test patterns [11]. An incorrect MISR output indicates a fault in the circuit. Various techniques can be used to complement pseudo-random test patterns [12], [13].

A problem with the traditional LBIST is that many pseudo-random patterns (several thousands or more) need to be applied to reach a satisfactory fault coverage. This implies that test execution time can be too long for some applications [14].

When the test mode is selected, the flip-flops with multiplexed inputs become inputs to the combinational logic. The flip-flops which have a switch on the output become outputs of the combinational logic. As in a scan design, this increases controllability and observability, making it possible to test a sequential circuit with tests for combinational logic.
Fig. 5: The structure of the TRA. (Output label in the figure: passed if 0, not passed if 1.)

A. Detecting faults in the combinational logic

Suppose that each non-trivial function $f_i$, $i \in \{0, 1, \ldots, n-1\}$, is implemented by a logic circuit consisting of a linear cascade of two-input XOR gates fed by AND gates, one corresponding to each product-term of the ANF with a non-zero constant $c_i$, $i \in \{1, \ldots, 2^n - 1\}$. Let the size of the largest dependence set of functions $f_i$ be $k + 1$. For example, for Trivium, the size of the largest dependence set is 5. For Grain-128, the size of the largest dependence set is 19.

The TPG has $k + 2$ outputs 0E, 0D, 1, 2, ..., k which are connected to the test inputs of controllable cells of the FSR as follows. For all $g_i \neq 0$, $i \in \{0, 1, \ldots, n-1\}$:

1) If the number of product-terms in the ANF of $f_i$ is even, the output 0E of the TPG is connected to the cell $i + 1$. Otherwise, the output 0D of the TPG is connected to the cell $i + 1$, where + is modulo $n$.
2) If $|dep(g_i)| \geq j$, then the output $j$ of the TPG is connected to the cell corresponding to the $j$th variable in $dep(g_i)$, for $j \in \{1, 2, \ldots, k\}$.

Test set $T_1$ (columns 0E to k are the outputs of the TPG)

| Test | 0E | 0D | 1 | 2 | ... | k | Expected output responses |
|------|----|----|---|---|-----|---|---------------------------|
| t1   | 0  | 0  | 0 | 0 | ... | 0 | 0                         |
| t2   | 0  | 1  | 1 | 1 | ... | 1 | 1                         |
| t3   | 1  | 0  | 1 | 1 | ... | 1 | 0                         |

$T_1$ detects all single stuck-at faults at the inputs and outputs of all XOR gates because it applies both 0 and 1 to every input and output of each XOR gate and an XOR cascade always propagates any change to its outputs. Either of the 2nd and 3rd tests also detects all stuck-at-0 faults at the inputs of all AND gates, since it sets all inputs of all AND gates to 1s.

The set $T_2$ consists of $k$ tests listed in the table below. The test $t_{i+3}$, $i \in \{1, 2, \ldots, k\}$, sets the $i$th output of the TPG to 0 and all other outputs $j \in \{1, 2, \ldots, k\}$, $j \neq i$, to 1. $T_2$ detects all single stuck-at-1 faults on the inputs of all AND gates. In general, the values set to 0E and 0D do not matter for the detection of faults. We set them to 0 and 1, respectively, to make the
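The coverage argument for the test sets T1 and T2 can be checked with a small single stuck-at fault simulation. The following is an added example, not code from the paper: the function `g = v1 ^ (v2 & v3) ^ v4` is constructed for illustration, and the model assumes that the product-term count of f_i includes the x_{i+1} term and that the constant term is 0.

```python
# Added illustration (not the paper's code). Constructed function f = x_next ^ g with
# g = v1 ^ (v2 & v3) ^ v4: dependence set of size 5, so k = 4 TPG data outputs.
G_TERMS = [(1,), (2, 3), (4,)]   # product-terms of g; variable j is fed by TPG output j
K = 4

def tpg_tests(k):
    """Return T1 (t1..t3) then T2 (t4..t_{k+3}); a test is (0E, 0D, [out_1..out_k])."""
    t1 = [(0, 0, [0] * k), (0, 1, [1] * k), (1, 0, [1] * k)]
    t2 = [(0, 1, [0 if j == i else 1 for j in range(k)]) for i in range(k)]
    return t1 + t2

def stuck(site, value, fault):
    """Override a net's value if the injected fault (site, stuck_value) sits on it."""
    return fault[1] if fault and fault[0] == site else value

def evaluate(terms, test, fault=None):
    """Output of the XOR cascade for one test, optionally with one stuck-at fault."""
    oe, od, v = test
    even = (len(terms) + 1) % 2 == 0          # assumption: x_next counts as a term of f
    nets = [oe if even else od]                # x_next input is driven by 0E or 0D
    for t, term in enumerate(terms):
        bits = [v[j - 1] for j in term]
        if len(term) > 1:                      # multi-variable term: AND gate inputs
            bits = [stuck(("and_in", t, p), b, fault) for p, b in enumerate(bits)]
        nets.append(int(all(bits)))
    out = stuck(("xor_in", 0), nets[0], fault)
    for n in range(1, len(nets)):              # linear cascade of two-input XOR gates
        out = stuck(("xor_out", n), out ^ stuck(("xor_in", n), nets[n], fault), fault)
    return out

def fault_list(terms):
    """Every single stuck-at-0/1 fault on AND inputs, XOR inputs and XOR outputs."""
    sites = [("xor_in", n) for n in range(len(terms) + 1)]
    sites += [("xor_out", n) for n in range(1, len(terms) + 1)]
    sites += [("and_in", t, p) for t, term in enumerate(terms)
              if len(term) > 1 for p in range(len(term))]
    return [(s, val) for s in sites for val in (0, 1)]

def coverage(terms, tests):
    """(detected, total): a fault is detected if any test's response differs."""
    faults = fault_list(terms)
    hit = [f for f in faults
           if any(evaluate(terms, t, f) != evaluate(terms, t) for t in tests)]
    return len(hit), len(faults)

if __name__ == "__main__":
    tests = tpg_tests(K)
    print("T1 responses:", [evaluate(G_TERMS, t) for t in tests[:3]])
    print("T1 only     :", coverage(G_TERMS, tests[:3]))
    print("T1 + T2     :", coverage(G_TERMS, tests))
```

With T1 alone the two stuck-at-1 faults on the AND gate inputs stay undetected; adding T2 closes that gap, and the fault-free T1 responses are 0, 1, 0 whether the function is wired to 0E or 0D.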
1) At the test input of each controllable cell.
2) At the output of each controllable cell.
3) At the input of each observable cell.
4) At the output of each observable cell which is connected to the TRA.

The detection of faults can be carried out using the following procedure.

Procedure 1:

functions:

$I = \{\, i \mid i \;\, dep(f_i) \;\, (g_i \neq 0) \,\}$.

Suppose that $I$ is ordered as $i_1 > i_2 > \ldots > i_{|I|}$. Then the maximum distance between two controllable cells is defined by

$$d = \max(i_j - i_{j+1})$$

for all $i_j \in I$, $j \in \{1, 2, \ldots, |I|\}$, where + is modulo $n$.

For example, for Trivium, $d = 69$ (between the controllable cells 195 and 126). For Grain-128, $d = 32$ (between the controllable cells 0 and 96).